[ale] OT: laptops on a network, security

Jonathan Rickman jonathan at xcorps.net
Thu May 29 22:33:24 EDT 2003


On Thu, 29 May 2003, Transam wrote:

> Worthless.  If someone has an accountant on a school system, he can use
> the same authentication for his laptop and he can pick a MAC address and
> IP of a school computer that has been turned off.

I suppose this all boils down to the classic security vs. practicality
argument that can't be discounted. Do you want to stop the casual
interloper while only slowing down the determined attacker, or do you want
to totally lock down every possible entry point? If I were doing an
assessment on this professionally, I'd first want to know what your goals
are. Are you trying to protect specific systems from these interlopers?
Are you trying to limit network access "just because" (maybe time to
review policies)? Are you trying to protect the rest of the world from
your network (read: limit liability)? Or is it a combination? If so, what
are the priorities? You might find it useful to alter policies to allow a
"free for all" setup and treat the "at large" campus network as an
untrusted net altogether, much like a wireless segment. You could use
outbound ACLs at the edge router or firewall to restrict this network
based on the DHCP scope and set up a proxy for legit users. There are
about a thousand different ways to do this sort of thing, but only about
20 of them are practical, both from an administrative and cost
perspective. It's not really a question of whether or not it can
be secured...because the answer is simply no. The answer is no, because
you have literally no physical security in this scenario. Without that,
all bets are off. It's more a question of how many obstacles can you
afford to put in front of the potential bad guy, and will that slow him
down enough to give you time to react. This sort of thing is exactly why I
advocate host-based security over network security all the time.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

